http-bad-user-agent Configuration

« http-bad-user-agent »
v1.2 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595confidence:1

Detect usage of bad User Agent

Installation

cscli scenarios install crowdsecurity/http-bad-user-agent

Description

Detect known bad user-agents.

Bans after two requests.

YAML Configuration

1type: leaky
2format: 2.0
3#debug: true
4name: crowdsecurity/http-bad-user-agent
5description: "Detect usage of bad User Agent"
6filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] && RegexpInFile(evt.Parsed.http_user_agent, "bad_user_agents.regex.txt")'
7data:
8  - source_url: https://hub-data.crowdsec.net/web/bad_user_agents.regex.txt
9    dest_file: bad_user_agents.regex.txt
10    type: regexp
11    strategy: LRU
12    size: 40
13    ttl: 10s
14capacity: 1
15leakspeed: 1m
16groupby: "evt.Meta.source_ip"
17blackhole: 2m
18labels:
19  confidence: 1
20  spoofable: 0
21  classification:
22    - attack.T1595
23  behavior: "http:scan"
24  label: "Bad User Agent"
25  service: http
26  remediation: true
27

Hub configuration

« http-bad-user-agent »v1.2 by crowdsecurityAttack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595confidence:1

« http-bad-user-agent »
v1.2 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595confidence:1